Vulnerabilities

End of Windows XP Support Means Added Opportunity for Hackers

Microsoft is counting down to the end of an era. On April 8, the company officially washes its hands of Windows XP, an operating system introduced in 2001 that comprises 45 million lines of code. You can watch the clock tick down in slightly eerie fashion, green boxes on a purple background, on Microsoft’s website, which also gives some pithy advice on what this means: “It means you should take action.”

Microsoft (MSFT) explains it quite clearly. “End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance,” the site reads. “Without Microsoft support, you will no longer receive security updates that can help protect your PC from harmful viruses, spyware, and other malicious software that can steal your personal information.”

This is a surprisingly big deal, says Jaime Blasco, head of the vulnerability research team at security company AlienVault. “Tons of Windows XP zero-day attacks are in the wild, and once Windows XP ends support, it means those vulnerabilities won’t be patched by Microsoft and users will be exposed,” he says.

After 12 years, and the introduction of newer operating systems, who the heck is still using XP? Many, many people, it turns out. It’s the second-most-used OS in the world, behind Windows 7, and its customers account for more than 18 percent of Internet users, according to StatCounter, which tracks 15 billion page views a month and the OS used for each. In the U.S., XP comes in third, at 15 percent, by StatCounter’s calculation.

Just fork over the cash and buy a new OS already, right? Not so simple in cases where systems were built around XP. There’s been quite a bit of coverage of the threat to ATMs, a large percentage of which run on software designed for XP. Another good example is industrial control systems whose infrastructure runs XP; companies don’t want to risk updating those systems because the applications that handle critical processes could fail, says Blasco. Think electric utilities. Applications at risk include the human-machine interface that lets operators monitor and control industrial processes, created by third-party equipment vendors that have been slow to react to the end of XP support, Blasco says.

Another sector to worry about is health care. About 10 percent of health-care providers, from hospitals to individual doctors’ offices, are still using XP, making them appealing targets for cyber-criminals because of the valuable patient information they handle, says Sam Glines, chief executive of Norse Corp., which tracks and analyzes cyberthreats.

Patient data sell for about 10 times more than traditional credit card data on the black market, because such information can be monetized in more ways, from Medicare and prescription fraud to identity theft, Glines says. “As support is dropped, the scale of attack and the scale of breach will increase dramatically.”

So as nice as it is for Microsoft to get lots of new customers for its other operating systems, and as glaring as the security risks of sticking with XP may be, plenty of businesses are likely to hang on to it for some time after the April 8 deadline.

“Companies spend substantially to customize products, like ATMs, for their enterprise,” says John Steven, internal chief technology officer of Cigital, a software security consulting company. “When these firms evaluate the cost of repeating this exercise on a new platform, it scares them away—regardless of the security (or other benefits) promised. Ultimately, firms tend to choose to stay with [the] devil they know—even without [a] prayer of improvement—over moving to the devil they don’t.”